I prepared two branches, one with the simple adjustment ( https://github.com/heitzjm/solr/tree/CERT_AUTH_PLUGIN_EASY) and another which expose a parameter ( https://github.com/heitzjm/solr/tree/CERT_AUTH_PLUGIN_REQUEST_ATTRIBUTE_PARAM). I applied for a Jira account a few hours ago, so I guess it is just a matter of time until I am able to open an issue and then make a PR referencing the issue.
Le jeu. 28 mai 2026 à 20:47, Gus Heck <[email protected]> a écrit : > That sounds like a bug. Creating a JIRA and a PR would be helpful if you > are able. > > On Thu, May 28, 2026 at 5:43 AM Jean-Marie HEITZ <[email protected]> > wrote: > > > Good morning, > > > > While trying to migrate from SOLR 9 to 10 using the official Docker > images, > > I noticed that authentication using SSL certificates did not work > anymore. > > I found out that, as I was using SOLR_SSL_NEED_CLIENT_AUTH, and that the > > SSL connection level does work and is established, the request attribute > > that carries the client cert is not > > "javax.servlet.request.X509Certificate" anymore in jetty-12, which is > used > > in the Official SOLR Docker image : it > > became "jakarta.servlet.request.X509Certificate". I tested the attribute > > change by building SOLR and the Docker Image from source : it worked. So > I > > guess it might be good to change, or add a parameter to be able to > > configure the lookup attribute in security.json. > > Can someone have a look ? > > > > Besides that, I also tried the CertAuthPlugin User Principal Extraction , > > and noticed something strange with the "subject.dn" path : the order of > the > > components in the Distinguished Name was not the same as the default > > method. In detail : > > - openssl x509 -text outputs O, OU and then CN for the SSL certificate > > - CertAuthPlugin.DEFAULT_PRINCIPAL_RESOLVER gives CN, OU, O > > - Extraction with "subject.dn" gives CN, O, OU > > I assume the Role Based Authorization Plugin uses the principal > extraction > > as a string, so the order of the elements does matter. However, I haven't > > investigated this behavior further yet. > > > > Thanks > > > > Jean-Marie Heitz > > > > > -- > http://www.needhamsoftware.com (work) > https://a.co/d/b2sZLD9 (my fantasy fiction book) >
